On 5/17/25 9:55 AM, Andrew C Aitchison via mailop wrote:
> How would the public CA know which user on your domain actually sent
> the request ? Validation proves the domain but trusts that the domain
> is honest about the localpart.
The same way that CAs have been providing S/MIME certificates for decades.
Send a nonce to the email address that's being validated and require
said nonce to be provided back to the CA in a form / reply / etc.
Let's Encrypt -- and likely other ACME CAs / clients -- doesn't support
this type of use case.
But their lack of support for the use case doesn't mean that the use
case isn't valid.
I can envision a fancier ACME (like) client wherein the client and
server exchange multiple messages and end up doing a Diffie-Hellman key
exchange to make it much, Much, MUCH, more likely that the client and
server are exchanging messages with each other. It's just that
communications (packets / messages) would be multi-modal and take longer
to complete. I see zero reason why this can't be done. -- People have
been playing chess by mail for a long Long LONG time. This is just a
different game of chess.
--
Grant. . . .
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
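The nonce-to-mailbox validation Grant describes above, sketched as a runnable Python example. This is an added illustration, not code from any CA, ACME client or the mailop thread; the `EmailChallengeValidator` class, its method names and the time-to-live are all assumptions. It shows the properties a CA-side implementation would want: the nonce is unguessable, bound to one normalized address, stored only as a hash, time-limited, compared in constant time and consumed on first use, so a captured or leaked challenge cannot be replayed for a second issuance.

```python
import hashlib
import hmac
import secrets
import time


def normalize_address(address: str) -> str:
    """Lower-case the domain only; the localpart is the mailbox owner's to
    define and may be case-sensitive, so it is kept as given."""
    local, _, domain = address.strip().rpartition("@")
    if not local or not domain:
        raise ValueError("address must contain a localpart and a domain")
    return f"{local}@{domain.lower()}"


class EmailChallengeValidator:
    """Challenge/response proof of mailbox control (constructed example).

    issue_challenge() produces the nonce the CA mails to the address;
    verify_response() accepts the address only if the exact nonce comes
    back, unexpired, and only once.  `now` is injectable for testing.
    """

    def __init__(self, ttl_seconds: int = 600, now=time.time):
        self._ttl = ttl_seconds
        self._now = now
        # address -> (sha256 hex of nonce, expiry timestamp)
        self._pending: dict[str, tuple[str, float]] = {}

    @staticmethod
    def _digest(nonce: str) -> str:
        return hashlib.sha256(nonce.encode("utf-8")).hexdigest()

    def issue_challenge(self, address: str) -> str:
        addr = normalize_address(address)
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the hash is kept server-side: a leaked pending table does
        # not hand an attacker usable challenges.
        self._pending[addr] = (self._digest(nonce), self._now() + self._ttl)
        return nonce

    def challenge_message(self, address: str, nonce: str) -> str:
        """Body of the mail the CA would send; the nonce rides in the text
        and must be echoed back by whoever reads that mailbox."""
        return (
            f"To: {normalize_address(address)}\n"
            f"Subject: Mailbox validation\n\n"
            f"Reply with (or paste into the form) this code: {nonce}\n"
            f"It expires in {self._ttl} seconds and works only once.\n"
        )

    def verify_response(self, address: str, nonce: str) -> bool:
        addr = normalize_address(address)
        entry = self._pending.get(addr)
        if entry is None:
            return False  # nothing outstanding for this address
        expected_digest, expiry = entry
        if self._now() > expiry:
            del self._pending[addr]  # stale challenge is discarded
            return False
        # Constant-time comparison of equal-length hex digests.
        if not hmac.compare_digest(expected_digest, self._digest(nonce)):
            return False
        del self._pending[addr]  # single use: a replay must fail
        return True


def demo() -> dict:
    """Run the validator through the cases a CA must get right and
    return the outcomes, using a fake clock so expiry is deterministic."""
    clock = [1_000.0]
    validator = EmailChallengeValidator(ttl_seconds=60, now=lambda: clock[0])

    # Constructed sample mailbox; note the domain case differs on verify.
    nonce = validator.issue_challenge("alice@Example.org")
    results = {
        "message_contains_nonce": nonce in validator.challenge_message("alice@example.org", nonce),
        "wrong_nonce": validator.verify_response("alice@example.org", "not-the-nonce"),
        "correct_nonce": validator.verify_response("alice@example.org", nonce),
        "replay": validator.verify_response("alice@example.org", nonce),
    }

    nonce2 = validator.issue_challenge("bob@example.org")
    clock[0] += 61  # move past the 60 second TTL
    results["expired"] = validator.verify_response("bob@example.org", nonce2)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

The example proves control of the mailbox to the extent the domain's mail system delivers to the right person, which is exactly the trust boundary Andrew raises: the CA learns that whoever reads that address saw the nonce, not anything about who the domain operator chose to give that address to. The multi-round, Diffie-Hellman style exchange Grant imagines would extend this, but it is speculative in the thread and is not modelled here.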